[nginx] OCSP: fixed use-after-free on error.
Roman Arutyunyan
arut at nginx.com
Fri Jun 19 14:02:03 UTC 2020
details: https://hg.nginx.org/nginx/rev/1ece2ac2555a
branches:
changeset: 7667:1ece2ac2555a
user: Roman Arutyunyan <arut at nginx.com>
date: Mon Jun 15 20:17:16 2020 +0300
description:
OCSP: fixed use-after-free on error.
When validating second and further certificates, ssl callback could be called
twice to report the error. After the first call client connection is
terminated and its memory is released. Prior to the second call and in it
released connection memory is accessed.
Errors triggering this behavior:
- failure to create the request
- failure to start resolving OCSP responder name
- failure to start connecting to the OCSP responder
The fix is to rearrange the code to eliminate the second call.
diffstat:
src/event/ngx_event_openssl_stapling.c | 43 ++++++++++++++++-----------------
1 files changed, 21 insertions(+), 22 deletions(-)
diffs (108 lines):
diff -r 8cf31489b479 -r 1ece2ac2555a src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Mon Jun 15 17:35:26 2020 -0400
+++ b/src/event/ngx_event_openssl_stapling.c Mon Jun 15 20:17:16 2020 +0300
@@ -980,6 +980,7 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
if (ocsp->ncert == n - 1 || (ocf->depth == 2 && ocsp->ncert == 1)) {
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"ssl ocsp validated, certs:%ui", ocsp->ncert);
+ rc = NGX_OK;
goto done;
}
@@ -988,7 +989,8 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
ctx = ngx_ssl_ocsp_start(c->log);
if (ctx == NULL) {
- goto failed;
+ rc = NGX_ERROR;
+ goto done;
}
ocsp->ctx = ctx;
@@ -1012,8 +1014,9 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
ctx->uri = ocf->uri;
ctx->port = ocf->port;
- if (ngx_ssl_ocsp_responder(c, ctx) != NGX_OK) {
- goto failed;
+ rc = ngx_ssl_ocsp_responder(c, ctx);
+ if (rc != NGX_OK) {
+ goto done;
}
if (ctx->uri.len == 0) {
@@ -1025,7 +1028,7 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
rc = ngx_ssl_ocsp_cache_lookup(ctx);
if (rc == NGX_ERROR) {
- goto failed;
+ goto done;
}
if (rc == NGX_DECLINED) {
@@ -1051,12 +1054,12 @@ ngx_ssl_ocsp_validate_next(ngx_connectio
done:
- ocsp->status = NGX_OK;
- return;
-
-failed:
-
- ocsp->status = NGX_ERROR;
+ ocsp->status = rc;
+
+ if (c->ssl->in_ocsp) {
+ c->ssl->handshaked = 1;
+ c->ssl->handler(c);
+ }
}
@@ -1073,22 +1076,16 @@ ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t
rc = ngx_ssl_ocsp_verify(ctx);
if (rc != NGX_OK) {
- ocsp->status = rc;
- ngx_ssl_ocsp_done(ctx);
goto done;
}
rc = ngx_ssl_ocsp_cache_store(ctx);
if (rc != NGX_OK) {
- ocsp->status = rc;
- ngx_ssl_ocsp_done(ctx);
goto done;
}
if (ctx->status != V_OCSP_CERTSTATUS_GOOD) {
ocsp->cert_status = ctx->status;
- ocsp->status = NGX_OK;
- ngx_ssl_ocsp_done(ctx);
goto done;
}
@@ -1096,15 +1093,17 @@ ngx_ssl_ocsp_handler(ngx_ssl_ocsp_ctx_t
ngx_ssl_ocsp_validate_next(c);
+ return;
+
done:
- if (ocsp->status == NGX_AGAIN || !c->ssl->in_ocsp) {
- return;
+ ocsp->status = rc;
+ ngx_ssl_ocsp_done(ctx);
+
+ if (c->ssl->in_ocsp) {
+ c->ssl->handshaked = 1;
+ c->ssl->handler(c);
}
-
- c->ssl->handshaked = 1;
-
- c->ssl->handler(c);
}
More information about the nginx-devel
mailing list